Designing a policy language that simplifies network configuration without losing expressiveness, using flow-based management. Goals: maintain today's expressiveness, support high-level naming, make the treatment of traffic clear, and support composition and exception policy models.
Flow-based Management Language
Tim Hinrichs (University of Chicago), Natasha Gude* (Stanford University), Martín Casado (Stanford University), John Mitchell (Stanford University), Scott Shenker (ICSI/UC Berkeley)
Network Configuration Today
• Distributed state: VLANs, subnets, ACLs, NAT, routing policies…
• Problems
  • Low-level, indirect mechanisms [Maltz04]
  • Topology-dependent [Bellovin99]
  • Connectivity is difficult to reason about [Xie04]
Our Goal Design a policy language to simplify network configuration without loss of today’s expressiveness.
Language Goals
• Maintain Today’s Expressiveness
• Support High-level Naming: “Guests must send all HTTP traffic via a proxy”
• Single Point of Declaration: clear how traffic will be treated
• Support Composition and Exception Policy Models
• Performance: amenable to efficient implementation
• Extensibility
• Multiple Authorship
FML Overview
• Form of nonrecursive Datalog
• Flow-based: an FML policy is a set of rules declared over a flow and its high-level attributes
• Attributes include src/dst access points, hosts, and users
• Rules that match a flow dictate its policy
Rule Definition
action :- condition
h :- [¬]b1 ∧ … ∧ [¬]bn   (each body literal bi may optionally be negated)
“Guest users must send all HTTP traffic via a proxy”
allow(Flow) :- guest(Usrc) ∧ http = Prot ∧ proxy(Hdst)
• NAC Actions: allow, waypoint, rate-limit, deny
• Variables: access points, hosts, users, protocol, flow header tuple
An FML policy is an unordered set of rules
Example Rules
# Require authentication
http_redirect(Flow) :- unauthenticated = Usrc ∧ http = Prot
# Define group behavior
allow(Flow) :- (registered(Hsrc) | registered(Hdst)) ∧ http = Prot
waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
rate-limit(Flow, 1Mbps) :- students(Usrc) | students(Udst)
# Quarantine hosts
deny(Flow) :- blacklist(Hsrc) | blacklist(Hdst)
# Isolate hosts
deny(Flow) :- classified(Hsrc) ∧ unclassified(Hdst)
Policy Model Goals
• Exception Model (a specific rule overrides a general one)
  waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
  deny(Flow) :- guest(Usrc)
• Composition Model (independent rules combine)
  waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
  rate-limit(Flow, 1Mbps) :- http = Prot
Conflict Resolution
• Action Reconciliation: deny > [waypoint, rate-limit] > allow
• Ordering of Rule Sets: Policy 1 > Policy 2
  Policy 1: waypoint(Flow, proxy) :- guest(Usrc) ∧ http = Prot
  cascade()
  Policy 2: deny(Flow) :- guest(Usrc)
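The slides on the FML overview, rule definition, example rules, policy models and conflict resolution describe one evaluation procedure: resolve a flow's header tuple to high-level names through the authentication bindings, find every rule in the unordered rule set whose body holds, reconcile the resulting actions by precedence (deny > [waypoint, rate-limit] > allow), and cascade to the next policy set when the current one is silent. The following Python is an added example written for this page, not code from the FML paper or from NOX. The host/user bindings, group memberships and addresses are constructed, the precedence tier given to http_redirect is an assumption (the slides do not rank it), and an empty result means "no policy matched", since the slides state no default action.

```python
"""Toy evaluator for the FML rule semantics shown on these slides.

Added example, not code from the FML paper or NOX.  Bindings, group
membership and the http_redirect precedence tier are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, List, Tuple

# Action reconciliation order from the "Conflict Resolution" slide:
# deny > [waypoint, rate-limit] > allow.  http_redirect is placed in the
# middle tier as an assumption; the slides do not rank it.
PRECEDENCE = {"deny": 3, "waypoint": 2, "rate-limit": 2, "http_redirect": 2, "allow": 1}

# Constructed name-to-address bindings: what the engine's "Auth Bindings"
# would supply so rules can name hosts and users instead of addresses.
HOST_OF_IP = {"10.0.0.5": "alice-laptop", "10.0.0.7": "lab-pc",
              "10.0.0.8": "infected-pc", "10.0.0.9": "proxy1", "10.0.0.20": "web1"}
USER_OF_HOST = {"alice-laptop": "alice", "lab-pc": "bob"}  # web1/proxy1: nobody logged in
GROUPS = {
    "guest": {"alice"}, "students": {"bob"},
    "proxy": {"proxy1"}, "registered": {"lab-pc", "web1", "proxy1"},
    "blacklist": {"infected-pc"},
}


@dataclass(frozen=True)
class Flow:
    """High-level attributes of a flow (the variables FML rules range over)."""
    Hsrc: str
    Hdst: str
    Usrc: str
    Udst: str
    Prot: str


def resolve(src_ip: str, dst_ip: str, prot: str) -> Flow:
    """Name-to-address binding: turn a flow header tuple into high-level names.
    Unknown hosts keep their address as a name; a host with no login yields
    the user 'unauthenticated'."""
    hsrc = HOST_OF_IP.get(src_ip, src_ip)
    hdst = HOST_OF_IP.get(dst_ip, dst_ip)
    return Flow(hsrc, hdst, USER_OF_HOST.get(hsrc, "unauthenticated"),
                USER_OF_HOST.get(hdst, "unauthenticated"), prot)


def member(group: str, name: str) -> bool:
    """Group predicate such as guest(Usrc) or blacklist(Hsrc)."""
    return name in GROUPS.get(group, set())


@dataclass
class Rule:
    """head(Flow, args...) :- body, with the body as a predicate over the flow."""
    action: str
    args: Tuple[str, ...]
    body: Callable[[Flow], bool]


Action = Tuple[str, Tuple[str, ...]]


def matching_actions(policy: List[Rule], flow: Flow) -> List[Action]:
    """A policy is an unordered set of rules: every rule whose body holds contributes its action."""
    return [(r.action, r.args) for r in policy if r.body(flow)]


def reconcile(actions: List[Action]) -> List[Action]:
    """Action reconciliation: keep only the highest-precedence tier.
    waypoint and rate-limit share a tier, so they compose instead of conflicting."""
    if not actions:
        return []
    top = max(PRECEDENCE[a] for a, _ in actions)
    return sorted({act for act in actions if PRECEDENCE[act[0]] == top})


def decide(policies: List[List[Rule]], flow: Flow) -> List[Action]:
    """Ordering of rule sets (Policy 1 > Policy 2 > ...): the first policy with a
    matching rule decides; a policy with no match cascades to the next one.
    An empty result means no policy matched (the slides state no default)."""
    for policy in policies:
        acts = matching_actions(policy, flow)
        if acts:
            return reconcile(acts)
    return []


# Policy 1: the rules from the "Example Rules" slide.  Policy 2: the general
# guest deny from the "Conflict Resolution" slide, reached only by cascade.
POLICY_1 = [
    Rule("http_redirect", (), lambda f: f.Usrc == "unauthenticated" and f.Prot == "http"),
    Rule("allow", (), lambda f: (member("registered", f.Hsrc) or member("registered", f.Hdst)) and f.Prot == "http"),
    Rule("waypoint", ("proxy",), lambda f: member("guest", f.Usrc) and f.Prot == "http"),
    Rule("rate-limit", ("1Mbps",), lambda f: member("students", f.Usrc) or member("students", f.Udst)),
    Rule("deny", (), lambda f: member("blacklist", f.Hsrc) or member("blacklist", f.Hdst)),
]
POLICY_2 = [Rule("deny", (), lambda f: member("guest", f.Usrc))]
POLICIES = [POLICY_1, POLICY_2]

if __name__ == "__main__":
    for hdr in [("10.0.0.5", "10.0.0.20", "http"), ("10.0.0.5", "10.0.0.20", "ssh"),
                ("10.0.0.7", "10.0.0.20", "http"), ("10.0.0.8", "10.0.0.20", "http"),
                ("10.0.0.20", "10.0.0.7", "http")]:
        print(hdr, "->", decide(POLICIES, resolve(*hdr)))
```

Running the script shows each policy model from the slides on a concrete flow: the guest's HTTP flow matches both allow and waypoint, and reconciliation keeps only the waypoint (the exception model within one policy); the guest's SSH flow matches nothing in Policy 1 and cascades to the deny in Policy 2 (the exception model across ordered rule sets); a flow from an unauthenticated host to a student collects http_redirect and rate-limit together (the composition model); and a blacklisted host is denied no matter how many lower-tier rules also match.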
Implementation Requirements
• At least per-flow interposition
• Name-to-address bindings
Any system providing these capabilities can support FML.
NOX
• OpenFlow Controller
• Maintains Global View of Topology
• Dictates Switch Behavior
• Provides Authentication Framework
Policy Engine (architecture diagram): Policy Compiler, Namespace, Auth Bindings, Rule Lookup; a Flow enters and Actions come out
Performance (plot): Flows/second versus # FML Rules
Deployment Experience
• Medical University Network in Japan
• 200 hosts
• In use for 10 months
• 40-line policy
• NAC-focused:
  http_redirect(Flow) :- unauthenticated = Usrc ∧ (workstation(Hsrc) | laptop(Hsrc)) ∧ http = Prot
Ongoing Work
• Distribute Policy Enforcement
• Virtualized Datacenter Support in Progress
• Expand FML to Define Actions
• Conflict Resolution Scheme
• Administrator Debugging Tools